[SOLVED] Virus infecting my USB's. makes all the file .cmd executables

Status
Not open for further replies.

TheBrokenMan

So I have this virus on my netbook, it is very annoying, whatever USB I plug in automatically turns all the files inside it into "shortcuts" and runs a CMD executable. I would prefer using the "reinstall OS from scratch" as a last resort, but can someone tell me an easier solution outside of running an anti virus / scan etc? If so, can you please tell me something light?

It's a netbook with 1 GB of RAM so please be gentle.

The files and all run but if I do run something then it shows a cmd box for a split second and disappears, and then the file runs.

Can someone please help me get rid of this pain in the ass virus?

Forgot to mention system

running a netbook

1.6 Ghz Atom
1GB Ram
160GB HDD

etc and on Win 7 32 bit
 

hotgamerft

Answer this:
Does the icon of the folders change? Or do they look like the same in the flash drive?

Try this:
Open up My Computer, select Tools from the menu and then Folder Options. Click on the View tab and then enable hidden files and folders.
Uncheck the box showing the text: "Hide extension of known file types".

Now if the extension of the folders is .exe you have to delete those because the actual folders are hidden but are marked as System files. In order to view them, you have to uncheck the box showing the text: "Hide Protected Operating System files"

 

TheBrokenMan

The icon changes to a shortcut icon and their extension changes completely from say .avi to .exe / .cmd
 

assasin42o


You don't want to run anti virus, you don't want to install new Windows... There's no other reasonable option

 

TheBrokenMan

Ran a full scan with Malwarebytes Anti-Malware and still have the issue, this is the problem I am having.



As you can see, it makes it into a shortcut and the cmd screen only comes for a microsecond, can't capture it with print screen.

Anyone have any ideas? For some reason, files in folders aren't affected, only the files on the root directory are. If I put the file in a folder then the shortcut doesn't come.

BIG UPDATE:



I found out that a file named "Serviec.vbe" is the cause. I went to folder options, made hidden files visible and saw that Game of Thrones (AVI file) had been made invisible. So I deleted the 'shortcut' and made the AVI file visible. Now I can do this every time I plug in a USB, but I used msconfig to trace back the file to

C:\Users\Rizwan\AppData\Local\Temp

I have the file with me but every time I try to delete it, I get the following error.

Now if someone can help me get past THIS phase, this would be the answer to my prayer!
 

abobobilly

@TheBrokenMan! It's not a problem.

===========

The Solution

1. Plug in the USB and open the Drive. (say, "E" drive)

2. Press Windows Button, and type "cmd" in Start Menu. Select cmd and Run as Admin.

3. Enter this command: attrib -h . /s /d

4. Press Enter and wait for the command to execute.

5. When finished, Eject the USB.

6. Plug it back in & open the thumb drive and you should see the files that were hidden by the virus.

I saved this procedure a long time ago so I am sorry if I am not mentioning the source. So, credit goes to the original author.

===========

Furthermore, does this happen every time you plug in the USB? Because if it does then your PC is definitely infected. Virus scans won't do any good.

Download a software called "Trojan Remover". You should be able to find a cracked version from any Warez site, say warez-bb. You don't necessarily have to download the cracked version as you can download the 30 days trial. You only need to use it once anyway. But it's totally up to you.

Install it, update the translations and scan the PC with it. If it finds anything, it'll ask you multiple options. Choose "Rename the File" and move on. I am sure your problem will be resolved.
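Added example, not part of the original post: a Python check for the symptom described in this thread, a visible shortcut in the drive root standing in for a same-named file or folder that has been given the Hidden attribute. The sample listing is constructed, and the assumption that the shortcut is named after the original (with or without its extension) is mine, not the thread's.

```python
import os
import stat

HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN   # 0x2
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM   # 0x4


def pair_shortcuts(entries):
    """entries: iterable of (filename, attribute_bits) for one directory.

    Returns sorted (shortcut, hidden_original) pairs where a visible .lnk
    carries the name of a hidden file or folder sitting next to it.
    """
    entries = list(entries)
    hidden = {}
    for name, attrs in entries:
        if attrs & HIDDEN:
            # Index by full name and by name without its extension
            # (assumed naming: "X.avi.lnk" or "X.lnk" for "X.avi").
            hidden[name.lower()] = name
            hidden.setdefault(os.path.splitext(name)[0].lower(), name)
    pairs = []
    for name, attrs in entries:
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".lnk" and not attrs & HIDDEN:
            original = hidden.get(stem.lower())
            if original:
                pairs.append((name, original))
    return sorted(pairs)


def scan_root(path):
    """Collect (name, attributes) for a drive root; Windows only."""
    return [(e.name, e.stat().st_file_attributes) for e in os.scandir(path)]


# Constructed sample: a drive root in the state the thread describes.
SAMPLE = [
    ("Game of Thrones.avi", HIDDEN | SYSTEM),
    ("Game of Thrones.lnk", 0),
    ("notes.txt", 0),
    ("Photos", HIDDEN | SYSTEM),
    ("Photos.lnk", 0),
    ("setup.lnk", 0),   # ordinary shortcut, nothing hidden behind it
]

if __name__ == "__main__":
    for lnk, orig in pair_shortcuts(SAMPLE):
        print(f"{lnk} -> hides {orig}")
```

On a Windows machine, `pair_shortcuts(scan_root("E:\\"))` lists the shortcuts to delete and the originals whose attributes need clearing.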
 

aura

Run Malwarebytes Anti-Malware full scan (I suggest you install it, don't enable free trial, update and scan PC in safe mode, a full scan not quick scan).
Further, you need an AV, try MS' own Security Essentials, ain't bad, or use USB Disk Security.
 

TheBrokenMan

Sorry for not replying, was busy in some other stuff.

I managed to get rid of the virus on my own. Here is what I discovered: the virus is a script file called "Serviec.vbe" (that IS the spelling, not a typo)


(Before going to the below directory, follow the above posts to find out how to enable hidden files to be visible)

It resides in C:\Users\[your name here, in my case, Rizwan]\AppData\Local\Temp\Serviec.vbe

Now, in active windows you CAN'T delete it so you will have to do the following

*Win key + R and regedit to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

and in there you will see a registry entry for Serviec.vbe, right click both modify options and delete all the data in both and then delete the main entry too.

then again win key + r to msconfig and untick Serviec.vbe in startup tab

Now reboot your device and hammer F8 at the BIOS screen, go into safe mode and do the above two steps again BUT this time a 3rd step will be added, you will have to go to

C:\Users\[your name here, in my case, Rizwan]\AppData\Local\Temp\Serviec.vbe

and delete the VBE file at the end of the location above, the script host won't be running under safe mode so you can safely delete it.

BEFORE YOU exit safe mode, make sure that Serviec.vbe is gone from both the regedit and the msconfig in the above steps!

I was surprised that there weren't any better solutions for this on the net and no number of AV or otherwise could detect this even when I directed the software to them.

This virus is especially viral in universities, I got this from lending my netbook to a friend =/

I hope that the info I gave is helpful to someone else.
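Added example, not part of the original post: a Python audit of HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run that flags any value launching a script file from a Temp directory, which is the persistence described above. The sample values are constructed; only the key and the Serviec.vbe path come from the thread, and the `wscript.exe //B` wrapper is an assumption about what the value data looked like.

```python
import ntpath
import re

SCRIPT_EXTS = {".vbe", ".vbs", ".js", ".jse", ".wsf", ".cmd", ".bat"}
TOKEN = re.compile(r'"([^"]+)"|(\S+)')   # quoted path or bare word


def script_targets(command):
    """Return the script paths named in one Run-value command line."""
    found = []
    for quoted, bare in TOKEN.findall(command):
        token = quoted or bare
        if ntpath.splitext(token)[1].lower() in SCRIPT_EXTS:
            found.append(token)
    return found


def in_temp(path):
    """True if the path sits under a Temp directory or uses %TEMP%/%TMP%."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\")]
    return any(p in ("temp", "tmp", "%temp%", "%tmp%") for p in parts[:-1])


def audit_run_key(values):
    """values: {name: command}. Returns {name: [script paths in Temp]}."""
    report = {}
    for name, command in values.items():
        hits = [p for p in script_targets(command) if in_temp(p)]
        if hits:
            report[name] = hits
    return report


def read_hkcu_run():
    """Read the live Run key as {name: command}; Windows only."""
    import winreg
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        count = winreg.QueryInfoKey(key)[1]
        return {n: str(d) for n, d, _ in
                (winreg.EnumValue(key, i) for i in range(count))}


# Constructed sample values; the wscript.exe wrapper is an assumption.
SAMPLE = {
    "Serviec": r'wscript.exe //B "C:\Users\Rizwan\AppData\Local\Temp\Serviec.vbe"',
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /silent',
    "Backup": r"C:\Scripts\backup.cmd",
}
```

On Windows, `audit_run_key(read_hkcu_run())` reports the live entries; unquoted paths containing spaces are split by the tokenizer and would need manual review.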
 

mave3

There are loads of good antiviruses out there..
Did you try to clean them with Avast?
You should have given it a try with that..

But if the issue is resolved now... that's a good thing..
Use Autoremover as well for USB...
Very good utility to stop malware and viruses from entering in the USB...
 